Bug 240200 - (CVE-2007-2754) CVE-2007-2754 freetype integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,source=redhat,reporte...
Depends On: 240573 240574 240575 240577 484441 484442 484443 484444 502565
Reported: 2007-05-15 14:57 EDT by Josh Bressers
Modified: 2016-03-04 07:46 EST
Doc Type: Bug Fix
Last Closed: 2007-12-19 05:37:44 EST

Attachments
Proposed upstream patch (892 bytes, patch)
2007-05-15 14:57 EDT, Josh Bressers
proposed backported patch to freetype1 (753 bytes, patch)
2009-04-16 13:21 EDT, Vincent Danen

Description Josh Bressers 2007-05-15 14:57:20 EDT
Victor Stinner discovered an integer overflow bug in the way freetype processed
malformed TTF fonts:
http://lists.gnu.org/archive/html/freetype-devel/2007-04/msg00041.html

The patch can be found here:
http://cvs.savannah.nongnu.org/viewvc/freetype2/src/truetype/ttgload.c?root=freetype&r1=1.177&r2=1.178

It appears that this flaw will result in a heap overflow condition:

    flag_limit = flag + n_points;
...
    while ( flag < flag_limit )
    {
...
      *flag++ = c = FT_NEXT_BYTE( p );
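
The hazard in the lines quoted above, shown as an added example that is not FreeType's code or the upstream patch: a simplified C model of a flag decoder that validates the font-derived point count, and each write, before it happens. The names `point_count` and `decode_flags`, the buffer parameters and the repeat-count handling (bit 3 of a TrueType glyph flag) are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define REPEAT_FLAG 0x08 /* TrueType simple-glyph flag bit 3: a repeat count follows */

/* Hypothetical helper: point count = last contour end point + 1.
 * The end point comes from the font, so a negative result is rejected (-1). */
long point_count(const int16_t *end_pts, int n_contours)
{
    if (n_contours <= 0)
        return 0;
    long n = (long)end_pts[n_contours - 1] + 1;
    return n < 0 ? -1 : n;
}

/* Hypothetical decoder: expand n_points flag bytes from src into dst.
 * Returns the number of source bytes consumed, or -1 on malformed input. */
long decode_flags(const uint8_t *src, size_t src_len,
                  uint8_t *dst, size_t dst_cap, long n_points)
{
    /* Check the count before forming dst + n_points, so a negative or
     * oversized value never reaches the pointer arithmetic. */
    if (n_points < 0 || (size_t)n_points > dst_cap)
        return -1;

    const uint8_t *p = src, *end = src + src_len;
    uint8_t *flag = dst, *flag_limit = dst + n_points;

    while (flag < flag_limit) {
        if (p >= end)
            return -1; /* stream ends before all flags are read */
        uint8_t c = *p++;
        *flag++ = c;
        if (c & REPEAT_FLAG) {
            if (p >= end)
                return -1;
            size_t count = *p++;
            if (count > (size_t)(flag_limit - flag))
                return -1; /* repeat run would write past flag_limit */
            for (; count > 0; count--)
                *flag++ = c;
        }
    }
    return (long)(p - src);
}
```
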
Comment 1 Josh Bressers 2007-05-15 14:57:20 EDT
Created attachment 154762
Proposed upstream patch
Comment 3 Tomas Hoger 2007-12-19 05:37:44 EST
Problem was fixed in affected Red Hat Enterprise Linux:

  http://rhn.redhat.com/errata/RHSA-2007-0403.html

and Fedora versions.
Comment 5 Vincent Danen 2009-04-16 13:21:25 EDT
Created attachment 339881
proposed backported patch to freetype1
Comment 6 errata-xmlrpc 2009-05-22 08:06:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 2.1

Via RHSA-2009:1062 https://rhn.redhat.com/errata/RHSA-2009-1062.html
Comment 7 errata-xmlrpc 2009-05-22 08:22:25 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3
  Red Hat Enterprise Linux 4

Via RHSA-2009:0329 https://rhn.redhat.com/errata/RHSA-2009-0329.html
